Security News > 2023 > September > Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads

The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation code signing certificates.

In the incident investigated by the cybersecurity company, an unnamed victim is said to have first received a piece of info stealer malware with EV code signing certificates, followed by ransomware using the same delivery technique.

The attacks start with phishing emails that employ well-worn lures to trick victims into running malicious attachments that masquerade as PDF or JPG images but are actually executables that jump-start the compromise upon running.

While the campaign targeting the victim delivered stealer malware in July, a ransomware payload made its way in early August after receiving an email message containing a bogus TripAdvisor complaint email attachment, triggering a sequence of steps that culminated in the deployment of ransomware.

The recent set of attacks, detected since late June, are engineered to also deliver commodity malware such as Agent Tesla and Warzone RAT. A majority of the email messages have singled out English speakers, although emails in Spanish and Turkish have also been spotted.

"The type of software being used in those ads indicate that threat actors are interested in corporate victims that will provide them with credentials useful for further network 'pentesting' and, in some cases, ransomware deployment."

News URL

https://thehackernews.com/2023/09/cybercriminals-combine-phishing-and-ev.html